Windows 8 privacy complaint misses the forest for the trees

Windows 8 contains a significant privacy flaw, insecurely telling Microsoft about every program you run, according to student and developer Nadim Kobeissi, whose assessment fails to grasp some key technical details.

Kobeissi, who has made a name for himself with his controversial browser-based secure chat service Cryptocat, says that the flaw lies in Windows 8's SmartScreen feature. The first time you run any downloaded executable on Windows 8, the operating system sends information about that application to Microsoft. Kobeissi says that this information is sufficient to identify the application you're running, and that Microsoft could combine this with IP address information to know who was running what.

Further, Kobeissi says that the server Microsoft sends the information to supports the SSLv2 protocol, which is known to be insecure.

Microsoft's SmartScreen service was first introduced in Internet Explorer 8, as an extension of Internet Explorer 7's phishing filter. When SmartScreen is being used (which is most of the time; it is enabled by default), Internet Explorer sends every URL being visited to Microsoft's SmartScreen servers. If the servers recognize the URL as being malicious, Internet Explorer will display a warning message about the URL and impede access to it.

Google operates a similar blacklist service, offering both an online URL checker, used by Chrome, and an offline downloadable blacklist, used by Firefox and Safari.

Windows 8 extends the SmartScreen system to cover not just the URLs visited in the browser, but also files downloaded by the browser. Whenever Internet Explorer saves a file to disk, it adds information called a Zone Identifier to the file that indicates whether the file came from the Internet, the local intranet, a trusted site, or elsewhere. HTML files are additionally given the Mark of the Web to denote their origin. Third-party browsers such as Chrome do the same.

Zone Identifiers are stored as alternate data streams.

In Windows 7, running an executable that has a Zone Identifier, but which lacks a trusted digital signature, yields a generic warning message to say that the program's safety can't be vouched for. Removing the Zone Identifier prevents the warning from recurring.

When Windows 7 runs a program with a Zone Identifier and no digital signature, it prompts for confirmation that you meant to run the program.

In Windows 8, instead of merely showing a generic warning, the operating system does a SmartScreen check on the downloaded file. Because this is a file on a hard disk rather than a URL, Windows doesn't have a URL to send. Instead, as described by Rafael Rivera, it sends the file's name and a hash (a kind of cryptographic "fingerprint") of the file's contents.

The operating system then displays a warning if the file is known to be malicious.
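To make the Zone Identifier mechanism above concrete, here is an added Python example (not code from the article or from Microsoft) that parses a Zone.Identifier stream, reads it from a file's alternate data stream on NTFS, and computes a content hash of the kind a reputation lookup submits in place of a URL. The [ZoneTransfer]/ZoneId layout and the zone numbering are standard Windows conventions; the choice of SHA-256 is an assumption, since the article does not say which hash SmartScreen sends.

```python
"""Parse a Zone.Identifier stream and fingerprint a downloaded file.

Added example, not article code. The [ZoneTransfer]/ZoneId layout and zone
numbers are standard Windows conventions; SHA-256 is an assumption, since the
article does not say which hash SmartScreen submits.
"""
import hashlib

# Standard security-zone numbering used by Windows and Internet Explorer.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"  # constructed: Internet download

def parse_zone_identifier(text):
    """Return (zone_id, zone_name) from stream text, or None if no ZoneId."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid" and value.strip().isdigit():
                zone_id = int(value.strip())
                return zone_id, ZONE_NAMES.get(zone_id, "Unknown zone")
    return None

def read_zone_identifier(path):
    """Read the Zone.Identifier alternate data stream (opened as
    "<path>:Zone.Identifier" on NTFS); None where absent or unsupported."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None

def triggers_check(zone_id):
    """Downloads marked Internet (3) or Restricted (4) get the warning/check."""
    return zone_id is not None and zone_id >= 3

def fingerprint(data):
    """Content hash of the kind a reputation lookup sends in place of a URL."""
    return hashlib.sha256(data).hexdigest()
```

Removing the stream (as the article notes for Windows 7) makes `read_zone_identifier` return None, which is exactly why the warning stops recurring.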

The privacy risk that Kobeissi claims is twofold. First, Microsoft could store the executable and IP address information of every request made. This would allow the company to make some estimates of which IP addresses were running which software.

Second, due to the apparent support of the vulnerable SSLv2 protocol, a hostile party could eavesdrop on the connection and build a similar database cross-referencing IP addresses with executables.

However, calling this a significant security risk seems more than a little unwarranted.

There are some technical problems with Kobeissi's complaint. Although he says that the server supports SSLv2, that's only part of the story. Windows clients using the operating system's built-in SSL capabilities don't, by default, support SSLv2. They support SSLv3 and TLS 1.0, neither of which is vulnerable to the same eavesdropping attacks that SSLv2 is susceptible to. A comment on Kobeissi's blog states that, in practice, the connection uses TLS 1.0. While TLS 1.0 does have some flaws when used in other contexts, it rules out trivial eavesdropping by malicious third parties.

Update: Microsoft has disabled SSLv2 support from its servers, and Kobeissi has updated his blog post accordingly.

This still means that Microsoft could determine which programs individual IP addresses are using. There would be some implementation issues to address first, however. Microsoft only receives the executable name and its hash. Sometimes the executable name is useful, containing the software name and version information, but a lot of the time it will be simply "setup.exe" (unfortunately, as it's very annoying if you ever want to find the installer for a program after you've downloaded it).

This leaves the hashes. Microsoft likely doesn't have a mapping from file hashes to actual executables, so it can't immediately tell which hash corresponds to which actual executable, but it could, in principle, trawl the Web looking for executables and computing their hashes. With this, the company could know that a particular IP address was running a particular program, or at least its installer.

If Microsoft cross-referenced this with other information it collects, such as Microsoft Account information, it could possibly even associate names with executables.

When asked for comment, a Microsoft spokeswoman told us:

We can confirm that we are not building a historical database of program and user IP data. Like all online services, IP addresses are necessary to connect to our service, but we periodically delete them from our logs. As our privacy statements indicate, we take steps to protect our users’ privacy on the backend. We don’t use this data to identify, contact or target advertising to our users and we don’t share it with third parties.

With respect to the claims of SSL security and data interception risk posed by the SSL2.0 protocol, by default Windows 8 will not use this protocol with our service. Windows SmartScreen does not use the SSL2.0 protocol.

The company has also talked in the past about the privacy implications of earlier iterations of SmartScreen. Although Microsoft does collect some data (for example, it distinguishes between popular downloads and unpopular downloads, as part of its application reputation feature), that same data is also anonymized.

As such, the privacy risk here is minimal.

The Windows 8 default settings enable SmartScreen both for URLs and downloaded files, as covered in the second bullet.

Additionally, one can opt out of SmartScreen entirely; it's an optional feature. The filtering is turned on by default (which we'd argue makes sense, as there is a proven practical need to protect mainstream users against malware), but Windows 8's initial setup both specifies that this kind of protection is performed (the second bullet in the list), and offers the ability, via the custom setup route, to disable it. It can also be disabled after installation through the settings dialog in Explorer.

Custom installs can disable the SmartScreen for URLs and SmartScreen for files.

But fretting about SmartScreen is missing a rather larger point. Windows 8 includes within it a store. So does Windows RT, the ARM version of Windows 8. All third-party applications that use the Metro environment must be installed via the store, and for Windows RT, every third-party application must use the Metro environment. Microsoft will be collecting information about these downloads and purchases, and no doubt creating top ten lists from it.

Every time an application is downloaded or purchased from the Windows Store, Microsoft is explicitly, overtly, and necessarily informed of the download. These downloads are automatically associated with Microsoft Accounts, too, meaning that they can be paired not merely with an IP address, but with an e-mail address and, in many cases, a name and billing information.

To decry SmartScreen as a privacy risk is to miss the far greater privacy risk: one shared by every platform that has this kind of integrated store system.

Promoted Comments

I remember reading the post referenced in this article yesterday and thinking how much pointless supposition it contained to make this sound like some kind of big deal.

He scanned Microsoft's servers and deduced from the response that the server would accept SSL2.0 connections; he made no attempt to verify whether or not SmartScreen (or, indeed, *any* Windows feature) used SSL2.0 as the transport protocol. Following this, he assumes Microsoft is logging details necessary for this service to function, purely because they *could* be. Finally, extrapolating from these "could"s and "maybe"s, he goes on to suggest that Microsoft is using Windows 8 as a platform to spy on every one of its users, many of whom will be business users, without their consent, not even considering the overwhelming amount of data that would need to be stored and tracked for little (no?) benefit to the company.

It sure seems like he's trying to ride the Windows 8 hate train with an inflammatory post which is light on facts and heavy on assumptions, all of which will be used by the uninformed as "yet another reason" to dislike Windows 8. It's Vista all over again, and not because of the software quality, but by the would-be journalists who can't get their facts straight before mouthing off on the internet. Props to ars for debunking this so swiftly and succinctly.